CVE-2024-29371
Unknown
Unknown - Not Provided
Denial-of-Service in jose4j via Malicious JWE Token Decompression
Vulnerability report for CVE-2024-29371, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: MITRE
Description
Description
In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jose4j | jose4j | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1259 | The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected. |